Issue42481
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2020-11-27 09:57 by copalco, last changed 2022-04-11 14:59 by admin.
Messages (5) | |||
---|---|---|---|
msg381940 - (view) | Author: Piotr Kopalko (copalco) | Date: 2020-11-27 10:16 | |
Path('example.toml').permissions() == Permissions(owner=(READ, WRITE, EXECUTE), group=(READ), other=(,)) |
|||
msg381943 - (view) | Author: Christian Heimes (christian.heimes) * | Date: 2020-11-27 11:09 | |
A word of warning: os.access() is not a good and sufficient permission check. It only checks DAC (discrete access control) permissions and suffers from TOCTOU issues. Operating systems have additional permission checks and security policies, for example mandatory access control (AppArmor, SELinux, Smack) and seccomp. |
|||
msg381948 - (view) | Author: Eryk Sun (eryksun) * | Date: 2020-11-27 13:31 | |
> os.access() is not a good and sufficient permission check. It > only checks DAC (discrete access control) permissions That's interesting. In Linux, for example, I would expect the access() and faccessat() system calls to also check mandatory permissions. I know from experience that at least the [i]mmutable file attribute is checked. That said, the Linux faccessat() system call doesn't support the flags parameter. So, according to the man page, AT_EACCESS (effective_ids=True) and AT_SYMLINK_NOFOLLOW (follow_symlinks=False) are implemented in the glibc wrapper by calling fstatat() instead. I presume that's limited to the discretionary st_mode permissions. For Windows, note that the current implementation of os.access() doesn't check the process/thread security context against mandatory and discretionary file security. Manually checking access is usually a discouraged practice, so there hasn't been any pressure to provide a real implementation. Regarding the example in msg381940, this seems confused. The title mentions os.access(), i.e. a result that checks F_OK or some combination of R_OK, W_OK, and X_OK. In theory, this can be supported in Windows. But the example shows POSIX owner-group-other permissions, which are not supported in Windows. As currently 'supported' by os.chmod() and st_mode in the os.stat() result, POSIX permissions in Windows are a fantasy that's based on a category error (that readonly is a granted permission, when it's actually a file attribute, similar to the POSIX immutable attribute) and assumptions (e.g. all files are readable, all directories are executable, all files with .com, .exe, .bat, and .cmd extensions are executable, and only these files are executable). |
|||
msg381953 - (view) | Author: Christian Heimes (christian.heimes) * | Date: 2020-11-27 15:35 | |
> That's interesting. In Linux, for example, I would expect the access() > and faccessat() system calls to also check mandatory permissions. I > know from experience that at least the [i]mmutable file attribute is > checked. access(2) takes extended file attributes like immutable bit and CAPS into account. For example it returns True for access("testfile", R_OK) for testfile with DAC permission 0o000 and process context with CAP_DAC_OVERRIDE. I would also bet that it handles POSIX ACLs correcty. But LSM and seccomp are not evaluated by access() -- at least SELinux is not. A seccomp syscall filter can have a BPF program attached to. It's a powerful feature that allows filtering and blocking by syscall argument. $ python3 >>> os.access("testfile", os.R_OK) True >>> open("testfile") Traceback (most recent call last): ... PermissionError: [Errno 13] Permission denied: 'testfile' # ausearch -m AVC ... time->Fri Nov 27 16:14:31 2020 type=AVC msg=audit(1606490071.292:4204): avc: denied { read } for pid=293015 comm="httpd" name="testfile" dev="dm-0" ino=399163 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:testcontext_t:s0 tclass=file permissive=0 |
|||
msg382178 - (view) | Author: Eryk Sun (eryksun) * | Date: 2020-11-30 19:16 | |
> takes extended file attributes like immutable bit Just to clarify, immutable isn't an extended attribute. It's one of the flag values in a Linux inode, which is supported by some filesystems such as ext4. It's in the API as STATX_ATTR_IMMUTABLE from the statx() stx_attributes field. > according to the man page, AT_EACCESS (effective_ids=True) and > AT_SYMLINK_NOFOLLOW (follow_symlinks=False) are implemented in > the glibc wrapper by calling fstatat() instead. I presume > that's limited to the discretionary st_mode permissions Apparently this is the case. For example, given 'spam.txt' is an immutable file: >>> os.access('spam.txt', os.W_OK) False >>> os.access('spam.txt', os.W_OK, follow_symlinks=False) True The AT_EACCESS flag has the same limitations in Linux, when it's not ignored. This issue with AT_SYMLINK_NOFOLLOW and AT_EACCESS will be resolved with the next release of glibc [1] on Linux systems running kernel 5.8+, which has a new faccessat2 system call that supports the flags parameter. Maybe initially a pathlib.Path method that implements an access check doesn't need to support the follow_symlinks and effective_ids parameters. --- [1] https://sourceware.org/git/?p=glibc.git;a=commit;h=3d3ab573a5f3071992cbc4f57d50d1d29d55bde2 |
History | |||
---|---|---|---|
Date | User | Action | Args |
2022-04-11 14:59:38 | admin | set | github: 86647 |
2020-11-30 19:16:41 | eryksun | set | messages: + msg382178 |
2020-11-30 18:58:44 | eryksun | link | issue42497 superseder |
2020-11-27 15:35:36 | christian.heimes | set | messages: + msg381953 |
2020-11-27 13:31:21 | eryksun | set | nosy:
+ eryksun messages: + msg381948 |
2020-11-27 11:09:35 | christian.heimes | set | nosy:
+ christian.heimes messages: + msg381943 |
2020-11-27 10:16:02 | copalco | set | messages: + msg381940 |
2020-11-27 10:07:41 | Maciej Olko | set | nosy:
+ Maciej Olko |
2020-11-27 09:57:19 | copalco | create |